Aug 27, 2018 17:15 UTC
Aug 27, 2018 at 17:15 UTC
Wallet Security: An Issue To Resolve For Ethereum dApp Browsers
BTC Wires: With the latest discovery of privacy issues relating to ethereum dApps, MetaMask has ceased to integrate Web3 into user browsers, implying that they’ll now need a new API to communicate with the user, i.e. a new postMessage API, according to Paul Bouchon, writing in Medium.
The updated protocol is already set by MetaMask, an Ethereum Wallet and dApp browser which by virtue of its nature allows the user to access the distributed web. MetaMask has introduced a web instance for the web page along with an Ethereum Service provider, which enables the dApp to reach the blockchain, track user address, and propose transactions.
Privacy Gaps Unveiled
The currently running generation of dApps has been discovered to have privacy faults. Malicious elements have the capability to penetrate into injected objects and track Ethereum users, despite the extension being locked. This makes the users vulnerable to a variety of attacks.
The severity of attacks has seen malicious objects launching phishing campaigns and invasive advertising which when clicked unlocks the extension. Once unlocked, the hostile elements get access to users’ Ethereum address and further to private information like history, balance, etc.
The dApp browsers including MetaMask, Status, imToken, and Mist need to install the planned updates to protect the privacy, especially while accessing third-party apps like Cryptokitty.
The dApp browsers will no longer inject any object/web instance or Ethereum provider in the web page. It will rather call for the user’s permission to launch an instance which will further pop-up the question to the user to either approve or disapprove access to the Ethereum Blockchain.
Developers Require User-Approved Providers
Developers can not expect Web3 elements to be calling for providers as the page loads, anymore. They have to send a command for the providers to request access from users and the dApp browsers can hence, call only user-approved providers to follow the further protocol. The dApp will then have to notify the user when the target provider / instance has been injected.
For the Web3.js API, an Ethereum provider will be injected post user approval, not a web instance. The dApp browsers that require Web3.js need to load the particular instance and not the one that the browser injects.
The change is a heavy move for MetaMask, Bouchon noted, but he also accepts that it is necessary to provide a secure ecosystem and that they definitely will make it private and safe to make user-centric web available.